26 March 2025

Lukoil Cyberattack Disrupts Operations And Payments

A significant cyberattack on Lukoil's IT infrastructure causes widespread payment issues and operational disruptions.

On March 26, 2025, Lukoil, one of the world's largest vertically integrated oil and gas companies, fell victim to a significant cyberattack that disrupted its IT infrastructure. The incident was reported by the Center for Monitoring and Management of the Public Communications Network (CMU SSOP) of the Main Radio Frequency Center (GRChTs), which operates under Roskomnadzor, the Russian telecommunications watchdog. According to the CMU SSOP, the company's critical infrastructure remained unaffected, and efforts to mitigate the consequences of the attack were underway.

The attack was identified as a virus-encryptor (malware that encrypts the victim's files), according to sources from various information security companies, including RBC. As of 1:00 PM Moscow time, access to Lukoil's infrastructure had not been restored. Sources familiar with the situation indicated that the attack impacted two major divisions of the company, and recovering the systems might take up to a day.

Reports from Telegram channels suggested that employees at Lukoil were unable to log into their work accounts and were instructed to turn off all computers in the domain until further notice. The company also disconnected some departments from the corporate network and restricted access to internal databases. This led to significant operational disruptions, with reports of employees being unable to use electronic passes to enter offices, necessitating manual checks by security personnel.

Customers of Lukoil gas stations faced payment issues, as they were unable to pay for gasoline with cards due to the ongoing disruptions. Downdetector, a service that tracks outages, indicated that most complaints originated from regions including the Khanty-Mansiysk Autonomous Okrug, Sverdlovsk, Nizhny Novgorod, Volgograd, and Tver. Despite the chaos, Lukoil's shares on the Moscow Exchange showed no immediate reaction to the incident.

In a related development, users reported a massive failure of the Fast Payment System (FPS) on the same day, with more than 6,000 complaints logged by Downdetector at peak times. Although the exact reasons for the FPS failure were initially unclear, it was speculated that a DDoS attack on the National Payment Card System (NSPK) might be involved. However, NSPK later confirmed that the issues were not due to a hacker attack.

As the situation unfolded, it was reported that several banks and mobile operators were also experiencing service disruptions. Users reported problems with banking applications and payment systems, indicating a broader issue affecting multiple sectors. Analysts noted that this incident was not isolated, as similar attacks had previously targeted other sectors, including financial institutions and construction companies.

Independent analyst Dmitry Adamidov remarked on the increasing frequency of such attacks, stating that the infrastructure of vital sectors is often targeted. He emphasized that while the attack on Lukoil is significant, it may not be catastrophic for the company, as its core operations in oil production are likely to continue unaffected.

In the wake of the attack, Lukoil's board of directors had recently recommended a final dividend payout of 541 rubles per share for the year 2024, which underscores the company's ongoing financial stability despite the cyber disruptions. However, the market's reaction to the attack was subdued, with experts noting that there was no widespread panic among investors.

As the day progressed, the cyberattack on Lukoil's infrastructure appeared to be subsiding, with related services beginning to return to normal operations. Nevertheless, the incident raised concerns about the security of critical infrastructure in Russia and the potential for future attacks, as hackers continue to evolve their tactics.

In conclusion, the cyberattack on Lukoil serves as a stark reminder of the vulnerabilities that even the largest corporations face in an increasingly digital world. While the immediate impact on Lukoil's operations appears manageable, the broader implications for cybersecurity across industries remain a pressing concern.